Note that there are RLIMIT_NPROC - 1 processes currently active in the system under the ownership of RATC

Detecting the death of adbd, adb restarts it. When adb is restarted, it has multiple tasks to accomplish for which it has to run as the root user. The details of which are not crystal clear to me at the moment.

Once these tasks are accomplished, it lowers its privileges to AID_SHELL by running

setgid(AID_SHELL);
setuid(AID_SHELL);

RATC spawns another process at the same time

if (fork() == 0) {
fork();
for (;;)
sleep(0x743C);
}

This is a race condition between RATC and the adb-server, as to which of the two would get to spawn that last process and hit the NPROC_RLIMIT limit, thereby preventing the other from successfully executing.
In case RATC wins the race and successfully spawns a stub process, NPROC_RLIMIT would be reached and adb’s attempt to setuid(AID_SHELL) would fail and it will continue to run as root.
The flaw here is that, the return condition of the setuid() is not checked. All the user needs to do now is to spawn a shell from adb and the parent’s privileges would be transferred to the shell which would run as root.

In case, adb wins the race and is able to setuid() successfully, then the fork() in RATC fails and so does the user’s attempt to gain root access. All the user can do is to redo this entire method yet again.